Pages

Thursday, June 16, 2011

Encryption Service Providers Would Not Be Banned In India

Encryption related issues have always posed problem for our intelligence agencies and law enforcement agencies. Unable to deal with the encrypted services, the intelligence and law enforcement agencies of India tried to adopt the next possible approach. They decided to take the easier route of eavesdropping and e-surveillance instead of developing the cyber skills.

Naturally, the threats to ban encryption service providers like research in motion’s (RIM) Blackberry, Gmail, Skye, etc was the measure of last resort for our central home ministry. However, home ministry of India did not realise the effect of this decision and now this decision seems to be haste one.

A government panel set up to examine security threats regarding 15 forms of communications that cannot be tracked by law enforcement agencies here, has recommended that no service be banned purely on the grounds that it cannot be monitored.

It has recommended that in the short term, India should force operators who offer such services to either locate servers in the country or share encryption keys with security agencies and assist security agencies here in monitoring these services.

As a long-term solution, the committee has recommended that the upcoming Central Monitoring System (CMS) be made capable of intercepting any form of communication service offered within the country.

It has also endorsed the telecom ministry's stance that the ultimate solution should involve intelligence agencies building up capabilities indigenously to monitor and intercept these technologies. The panel has also added that security agencies must avail the help of companies to build such capabilities.

The committee has said that security agencies must first check whether monitoring solutions are available in other counties before threatening to ban any specific communication service.

Before banning or blocking of encrypted communication impact on business and industry, e-commerce, e-governance, e-medicine, e-health, passport services etc should be taken into consideration. Further, banning or blocking services without providing an alternative may have international reactions and could affect other Indian industries such as BPO and IT outsourcing.

The government panel, with members from different ministries, including telecoms and IT, has also recommended that India raise its encryption levels from the present 40 bits to 256 bits, which is the standard in Europe and the US. Most western countries do not allow financial transactions on the internet through computers and mobile handsets, if the encryption level is less than 128 bits. India on the other hand does not legally allow encryptions beyond the 40-bit on the grounds that its security agencies lacked the technological capabilities to monitor data transfers on the internet when the coding is beyond this limit.

However, the Home Ministry and Intelligence Bureau (IB) whose members were part of the panel, have not signed these recommendations and have given their dissent note. The IB has said the recommendations by the panel shift the onus on encryption and decryption from mobile phone companies to the 'designated agency' (CMS) authorised by the home ministry, when 'current experience was that government agencies were unable to track such services'. It has also pointed out that it may be impossible to persuade foreign players to locate servers in India or share encryption keys with security agencies here as recommended by the panel.

Finally, there are no legal frameworks for intelligence agencies, law enforcement agencies, data protection, privacy protection and data security. These legal frameworks must be at place so that legal and constitutional intelligence gathering can be taken place. India has to cover a long gap before all these requirements and capabilities are developed.